Expected Findings
- `alg=none` tokens are accepted as valid.
- `kid` is concatenated into a file path with no normalization, enabling traversal.
- HS256 signing key is leaked through a debug endpoint.
JWT Verifier
JWT Alg Confusion
The verify endpoint trusts the `alg` field from the token header, accepts `alg=none`, and follows `kid` paths into arbitrary files.
Verify token
Primary Flows
- Verify POST a JWT body, alg=none accepted
- JWKS debug Returns symmetric secret
- kid traversal Demonstrates kid path concat
Signals
Verifier
if header.alg == "none" { return claims, nil }
kid
key = readFile("/keys/" + header.kid)